i. An update on Jersey's GDPR law drafting.
ii. This update will form part of Matthew Fuller's presentation at the December number four workshop on the 12th December.

b. Mark Saville from Data2Vault and John Macknight from CRArisk will, as the keynote speakers, talk about:

i. How businesses in Jersey and elsewhere should deal with data breaches and data loss (cyber breaches). Mark and John will also provide guidance on how to build a programme of controls and actions that will enable firms to demonstrate they have an effective response to such incidents.

The risk of cyber breaches

1. Businesses are becoming increasingly aware that data breaches and data loss, whether caused by cyber incidents or by accident, can happen in a variety of ways to both small and large companies, often through human error, and without malice.

2. As well as investing in prevention tools, businesses need to have a plan for how to keep their business up and running while safeguarding their unique digital assets should something go wrong.

3. In many instances, most regulators understand that even the best-run companies can suffer from a cyber-attack, loss or breach, but they rarely forgive an ineffective response, which could in turn lead to a regulatory investigation, further disruption to your business and costs that could include a fine.

Cost triggers

1. Typically, when businesses suffer a cyber-attack or data breach, there are three possible cost stages:

a) The first costs incurred are for investigating, remediating and then reporting.

b) The second costs arise where legal suits are filed or complaints are made.

c) The third cost is the possibility of a GDPR regulatory fine.

Cost summary

1. The first stage is an opportunity to limit the adverse consequences of the second stage, a stage that could be expensive and disruptive to a company.

2. Looking at stage 3, the EU GDPR regulation, due to be in force in May 2018, states that notice of a data breach must be provided ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.

3. If no notification is made within 72 hours, the data controller must provide a ‘reasoned justification’ for the delay. If you fail this, the third test, you may be liable to a fine.

Effective response guidelines to save you money

1. Speakers Mark Saville from Data2Vault and John Macknight from CRArisk will look at the above matters and, in doing so, will discuss the following effective response to allow delegates to consider:

a. Their policies, procedures and working practices, and

b. What appropriate risk measures should be implemented to minimise the impact of a cyber-attack, breach and/or data loss, which include: